ORWL computer - Worlds Most Secure Home Computer Ever
We’ve all heard tales of foreign intelligence entities breaking into hotel rooms and cloning a person’s hard drive while he or she is in the bar downstairs.You might dismiss it as the stuff of urban legend or Jason Bourne movies, but this style of attack does highlight one of the most basic weaknesses of today’s PCs: Their data is extremely vulnerable once an attacker has physical access to a machine. Cold boot attacks, exploits, or DMA attacks over FireWire, among other breaches, are all possible if a bad actor can get his or her hands on the hardware.
It’s this very attack vector that inspired
Design Shift’s ORWL
computer (named for writer George Orwell). Now, having exceeded
its $25,000 funding goal on Crowd Supply, the super-secure PC is in production.
[The tiny ORWL is designed to defeat known physical attacks on a PC and even runs on decent hardware.]
The ashtray-sized x86 PC is built to
prevent entry into the machine. For example, on a typical PC, if you set a BIOS
password to prevent tampering, it’s easy enough to bypass it by pulling the
BIOS backup battery. And even if you had set the PC to trip an alarm and erase data when the case is
cracked open, that won’t matter if the attacker drills a hole into the case and
disables the pressure switch.
Multiple pressure sensitive switches and
all-encompassing wire mesh makes it nearly impossible to break into the ORWL
without tripping an alert.
With the ORWL, the entire shell (available
in glass or plastic) features multiple pressure switches and a wire mesh
barrier. If the PC is tampered with, it will trigger an alert and erase the
PC’s encryption key, making the data totally inaccessible. The ORWL uses an
Intel 540-series SSD, which features full drive AES-256 encryption.
The encryption key to the drive is stored on a security
microcontroller instead of the drive, and only after the microcontroller has
verified that the system is secure.
The ORWL makers say the wire mesh itself is
constantly monitored, its impedance measured with randomly generated data sent
by the PC’s security microcontroller. Any attempts to trick, bypass, or short the
wire mesh will cause the encryption key to be deleted. The unit’s security processor
also monitors movement, and a user can select a setting that will wipe or lock
down the PC’s data if it is moved to another location.
The company says the ORWL technology is
similar to that used on ATM and other devices that need to safeguard their
internal electronics from penetration.
[You can see how dense the mesh barrier is on the ORWL’s body. Break-even just one of the traces and the data on the SSD will be immediately rendered inaccessible.]
Freezing won’t help either
Lest you think you can freeze the ORWL to slow down the electrons in its security controller and render it
ineffective, think again. The microcontroller in the ORWL monitors' temperatures
and any drastic change can trigger an alert and nuke the encryption key.
It’s also been known for years that
RAM can retain information for seconds after being powered down. Cool that RAM
with compressed air or liquid nitrogen, and it’ll retain the information even
longer—long enough to potentially extract an encryption key or any other data that are in memory. On the ORWL, such an attack is not possible because the RAM
is soldered to the motherboard and can’t be easily removed to be read
elsewhere.
Design Shift says its design limits the
exposure of the encryption key to brief amounts of time, such as during a boot.
When the system is sleeping, the key is not stored in the main memory or on the SSD
but on the security microcontroller.
ORWL said it also designed the boot
sequence to wipe the RAM before POST to prevent an attacker from somehow
inserting code into the memory during boot.
[An OLED screen is integrated into the ORWL PC for use during
boot-up.]
Secure keyfob
Your ORWL unlocks by using a secure NFC and
Bluetooth LE key-fob. Pressing it against the top of the ORWL and entering a
password authenticates the user. Once the user has been authenticated,
Bluetooth LE is then ensured that the user is always nearby. Walk away, and the
ORWL will lock.
The key-fob communications are encrypted and
the fob is also protected by its own on-die security mesh to prevent tampering.
USB and PCIe attacks are also blocked
Design Shift has also taken precautions
against the threat from external devices. The ORWL features just two USB Type C
ports (in addition to HDMI), and the system cannot boot from external devices
unless intentionally set to. ORWL’s designers also say those two USB ports are
switched off once the secure key-fob has gone out of range.
[The ORWL features Sky-lake based Core m3 or Core m7 CPU and 8 GB of RAM.]
It’s real hardware, too
The ORWL has surprisingly capable parts,
despite its minuscule size. I expected it to be built on a lower-performance
Atom X7 or a Bay Trail chip, but the ORWL uses Intel’s Sky-lake CPUs. There are
two configurations: one with Core m3 and one with Core m7.
Both configurations
have 8GB of RAM, and SSD capacities range from 120 GB to 480 GB. As mentioned,
ports include micro-HDMI and two micro-USB C ports.
The Core m3 version with a
120GB drive and Windows 10 costs $749 on Crowd-Supply.
A Core m7, 480 GB SSD, and
Windows 10 will set you back $1,099.
OS options also include Ubuntu LTS and
Qubes.
Why not a laptop?
One big drawback of the ORWL is that it’s
not a complete portable solution. You still need a monitor, keyboard, and
mouse. When asked why not a laptop, Design Shift officials point to the
challenges of having that much more hardware to secure.
The other obvious problem is that hardware
security is only half the equation. The ORWL may be difficult to breach
physically, but there are countless other threats to our PCs and data that come
from the outside, over the internet, via wireless communication, even social
engineering.
Is the ORWL giving users a false sense of security?
To be fair, the ORWL doesn’t promise to secure your
data from every possible point of attack, but it can at least make getting to
the data on your computer a hell of a lot harder.